Reader whencanistop writes with some details on an upcoming EU law that slipped under the radar as it was part of the package containing the “three strikes” provision, which attracted all the attention and criticism.

“A couple of weeks ago we discussed the EU cookie proposal, which has now been passed into law. While the original story broke on the Out-law blog from a law perspective (‘so breathtakingly stupid that the normally law-abiding business may be tempted to bend the rules to breaking point’), there has now been followup from a couple of industry insiders. Aurelie Pols of the Web Analytics Association has blogged on how this will affect websites that want to monitor what people are looking at on their sites, while eConsultancy has blogged on how this will impact the affiliate industry. In all of this the general public is being ignored — the people who, if the law is actually implemented, will have to proceed through ridiculous screens of text every time they access a website. I know most of you guys hate cookies in general, but they are vital for websites to know how people are accessing the sites so they can work out how to improve the experience for the user.”

There was a monumental response on the site with over 400 comments. So I thought I’d put an update on here, given that I didn’t have enough time to respond to them all at the time (plus I’d been to the pub and had a beer, so my arguments started making less and less sense).

You don’t need Cookies/Tracking to make a site better – you can do this with Usability testing

Can you do everything you need to do through usability testing to make your website better? You certainly need to do usability testing. I think I’ve said on here in the past that one of your key performance metrics should be a measurement from ‘voice of the user’. Is that enough? Can you get everything you need from usability and asking users? Let’s see what we can get from those things:

We can ask users how they accessed the content – this will give us good impressions of where they were and how we can build up that scent so that we can get them to stay longer. This may not be completely accurate though, because they might not have realised where they were, or they might have forgotten and made something up

We can ask them which content they accessed – this will tell us what they were looking at, and we can even ask them if they thought it was good and matched what they wanted. Again, this suffers from the same problem as above

We can watch what they do to try and improve usability – from watching them scroll, matching their eye patterns to parts of the screen, even where they are trying to enter text into a field to see how they do it. This is amazingly useful in telling us how to build our pages and journeys up

What do we not get from usability? Well, the real problem is essentially that we can’t ask everyone. Your choices are:

Take a representative sample of who you think your audience are and invite them into a room to be observed

Ask everyone on the site, throw them a popup and hope that a decent few respond

Use an existing customer database

Really, to do any of these things you want to make sure you are targeting in the right way. E.g. I am under no illusions that the people who arrive at the home page of this blog want something completely different to those that came in to the most popular post.

The usability testing will give us ways of improving a user’s journey through the site to get to the point where we want them to be (either at a conversion where they give the site owner money or at a non-monetary valued conversion). It will not tell you if the users are actually doing it or not. For this – you need to use your analytics to find out.

You can store session information in GET/POST of your links/submit buttons

As pointed out in Slashdot – you can technically create a unique URL for each of your GET/POST items so that it contains information on a user’s session. As also pointed out, there are several reasons why you wouldn’t want to do this:

You’re exposing your session ids to anyone who you then link off to through your referrer information

You’re exposing your session ids to anyone who is doing any packet sniffing (although this could also be true if you were using cookies)

You’re doing some very complicated coding for something that could be done much more easily through cookies (or indeed is being done much more easily through cookies and thus making companies change)

It doesn’t work for tracking in the real world for static content (non-secure). The world is built on links. I’ve got lots of them to other sites in this commentary already. Imagine if each of those links had a session ID included in it for my visit. Every time you clicked on the link, the person on the other end would think it was me again. Now imagine that I posted one of those links to Slashdot – it would get thousands of views and become worthless in terms of tracking

If you want to read it, there was a very good response from Pieroxy on the security implications of putting a session ID, or indeed anything, on the client side when creating transactions.
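The referrer exposure and the shared-link problem described above can both be looked for in a site's own access logs. The following is an added example, not code from the original post or from Slashdot; it assumes Apache-style combined log format and a hypothetical `sid` query parameter, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip, identity, user, [time], "request", status, bytes, "referer", "agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "\S+ (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines, not real traffic. "sid" is a hypothetical parameter name.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Nov/2009:10:00:01 +0000] "GET /post?sid=a1b2c3 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11)"
198.51.100.7 - - [10/Nov/2009:10:00:09 +0000] "GET /about?sid=a1b2c3 HTTP/1.1" 200 300 "http://blog.example/post?sid=a1b2c3" "Mozilla/5.0 (X11)"
203.0.113.20 - - [10/Nov/2009:11:30:00 +0000] "GET /post?sid=a1b2c3 HTTP/1.1" 200 512 "http://aggregator.example/story" "Mozilla/5.0 (Windows)"
203.0.113.99 - - [10/Nov/2009:11:30:02 +0000] "GET /post?sid=a1b2c3 HTTP/1.1" 200 512 "http://aggregator.example/story" "Opera/9.80"
192.0.2.44 - - [10/Nov/2009:12:00:00 +0000] "GET /post?sid=ffee99 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh)"
"""

def sid_of(url, param="sid"):
    """Return the session id carried in a URL's query string, or None."""
    values = parse_qs(urlsplit(url).query).get(param)
    return values[0] if values else None

def audit(log_text, param="sid"):
    """Return (shared, leaky_referers).

    shared: {session id: distinct clients} for ids used by more than one
            (ip, user-agent) pair, i.e. a link that was copied or posted elsewhere.
    leaky_referers: sorted Referer values that themselves contain a session id,
            which a browser would also hand to any external site linked from that page.
    """
    clients = defaultdict(set)
    leaky = set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        sid = sid_of(m["url"], param)
        if sid:
            clients[sid].add((m["ip"], m["ua"]))
        if sid_of(m["ref"], param):
            leaky.add(m["ref"])
    shared = {s: len(c) for s, c in clients.items() if len(c) > 1}
    return shared, sorted(leaky)

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A session id that shows up from several clients is both a tracking failure (many visitors counted as one) and a sign that anyone holding the link is being treated as the original visitor.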

Ok, I’m mocking a little bit, because this money is made for them through advertising. But one website’s advertising income is another website’s Marketing budget. If the company didn’t get any return on their marketing budget, they wouldn’t spend it.

How do you find out how much money you make through your advertising budget? Well, you can do it the old-fashioned way as people did with old-style media (telly, radio, print, inserts, door drops, etc) – which basically means you take your sales results over time and map any differences in performance to timings of advertising campaigns (guesstimating is probably the word you would use). Or you can do it the newfangled way, which is to offer the user a cookie and then, when they get to the sale page, link that back to the advertising campaigns they saw.

Want to know why online advertising is seen as less valuable than offline media? It’s because of the reason above. You should probably do both options to get a comparative figure for your online advertising compared to your offline. Also, because of the current ‘last click wins’ attribution, you lose information about cumulative effects when you measure this way.

But that isn’t all of it. No. You see, advertising works in several ways. Another way advertising works is by affiliate websites. There are lots of them. You probably only think of traditional affiliate sites that are just link farms. But there are lots of others. All of your price comparison sites run solely on affiliate deals. Invariably these sites measure how much money they should make based on the cookie that they give you when you click off their site (plus an image that they put on the final website’s thank-you page telling the affiliate you’ve paid). Imagine if you actually had to get your car insurance quotes from every possible website instead of going to Confused, Money supermarket or compare the meerkat. These sites wouldn’t exist without their affiliate deals (they wouldn’t make any money!).

So if you have a website and do marketing you want to have cookies enabled so you can work out if you are making more money (unless you gamble on the old-style approach). What if you don’t spend money on Marketing? All of your visits come for free from people typing in your URL, from Google or goodwill links. Again, to find out which visits and how many of them, you don’t actually need cookies. To find out which ones are valuable and worth thanking, you do. Because you can’t link this source to that sale without those cookies.

The Government is regulating the tools when regulating the behaviour of those using the tools would be better

I think you could probably sum up the whole proposal by the government with the above. They’ve misunderstood the applications of the cookies and decided to make it difficult for the users. As many on Slashdot have been saying – if you want to stop murders, banning hammers isn’t going to help.

So this is what cookies usually do:

They give you a unique identity so they can monitor your movements from page to page (for tracking purposes or to keep you in a logged in state)

Cookies are set from the originating domain (first party) or from another domain that the originating domain has given permission to

Cookies are read only from the originating domain of the cookie and only if the page you are on contains something loaded from that domain

For there to be any privacy and personal data issues the following would have to happen:

The originating domain would have to give away any information you entered into its page to a third party without you agreeing to it (against the data protection act in the UK)

The originating domain would have to allow a third party to load JavaScript on a page where you’d entered your personal information and allow the third party to collect that information (this would be lazy and well within legislative rights if an advertising company – for example – did do this)

The user already has the right to reject cookies through their browser if they wish. Basically the Government is turning what is a user decision into a website decision. Do I want cookies? I want to decide as a user. The Government is basically telling me with this law that I am not clever enough to work out whether I want cookies in case something bad happens, so they are going to make it implicit that I agree to them.

It seems to me that what you’re saying is that you make a living telling people what they “should” do, and helping them to do things that way. You are being told that your model of doing things is under threat, and your objection is that this will make your life more difficult.

Is he right? Am I biased? God, now I’m confused. Maybe we *should* try and come up with a new way of doing it. Any ideas?